Package Exports
- osv-ui/src/scanner.js
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (osv-ui) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
osv-ui
A beautiful, zero-config visual CVE dashboard for npm, Python, Go, Rust, Java, PHP, and Ruby projects.
One command. No signup. No API key. Runs 100% locally β your code never leaves your machine.
π»π³ TiαΊΏng Viα»t Β· πΊπΈ English Β· π¨π³ δΈζ Β· π―π΅ ζ₯ζ¬θͺ
The problem
$ npm audit
# ... 300 lines of this ...
# moderate Regular Expression Denial of Service in semver
# package semver
# patched in >=7.5.2
# ...
# 12 vulnerabilities (3 moderate, 6 high, 3 critical)Nobody reads that. Security gets ignored. Dependencies stay vulnerable.
The solution
npx osv-uiβ Opens a dashboard. Every CVE, every fix, all your services. Done.
Why give it a try?
- Zero-config: No complex setup, no signup, no API key required.
- Privacy First: Analysis is done 100% on your machine.
- Fast & Visual: Real-time Risk Scores, vulnerability charts, and clear upgrade guides in seconds.
- Multi-platform: Native support for Node.js (npm), Python, Go, Rust, Java, PHP, and Ruby.
Features
| π Multi-Ecosystem | Scans package-lock.json, pnpm-lock.yaml, yarn.lock, Pipfile.lock, poetry.lock, requirements.txt, go.sum, Cargo.lock, pom.xml, composer.lock, Gemfile.lock |
| π‘ Live CVE data | Powered by OSV.dev β updated daily from NVD, GitHub Advisory, PyPI Advisory. No API key. |
| π’ Multi-service | Scan your entire monorepo in one command β frontend, backend, workers, ML services |
| π Fix guide | Dependabot-style upgrade table: current version β safe version + one-click copy command |
| π Built-in REST API | Power your own security dashboards with GET /api/data or CLI export flags |
| π― Risk score | 0β100 per service so you know where to focus first |
| π CVE drill-down | Click any row β CVSS score, description, NVD link, GitHub Advisory link |
| π Dark Mode | Eye-friendly security audits, day or night |
Quick start
Scan current directory:
npx osv-uiScan a monorepo (multiple services at once):
npx osv-ui ./frontend ./api ./worker ./ml-serviceAuto-discover all services under the current directory:
npx osv-ui -dAdd to your package.json scripts:
{
"scripts": {
"audit:ui": "npx osv-ui",
"audit:all": "npx osv-ui ./frontend ./api ./worker"
}
}--discover, -d Auto-find service dirs that contain a supported manifest
--port=2003 Use a custom port (default: 2003)
--json[=file] Save report as JSON without opening browser (defaults to osv-report.json)
--html[=file] Save report as HTML without opening browser (defaults to osv-report.html)
--no-open Don't auto-open the browser
--offline Skip OSV.dev lookup β parse manifests only
-h, --help Show help messageπ€ AI Agent Integration (MCP)
osv-ui is now a Model Context Protocol (MCP) server. This allows AI agents like Claude Desktop, Cursor, and Claude Code to:
- Scan your project for CVEs automatically.
- Open the visual dashboard for you to review findings (Human-in-the-loop).
- Apply fixes after your explicit confirmation.
Quick setup (npx):
{
"mcpServers": {
"osv-ui": {
"command": "npx",
"args": ["-y", "osv-ui-mcp"]
}
}
}See the MCP Package README for detailed setup instructions.
π Powerful built-in API
osv-ui isn't just a dashboard; it's a security data engine.
Once the dashboard is running, you can pull the raw security data for your whole project:
# Get full JSON payload for all services
curl http://localhost:2003/api/data
# Use it in your custom scripts
curl -s http://localhost:2003/api/data | jq '.[0].vulns'Supported manifest files
| Ecosystem | Files |
|---|---|
| npm / JS | package-lock.json Β· pnpm-lock.yaml Β· yarn.lock |
| Python | requirements.txt Β· Pipfile.lock Β· poetry.lock Β· pyproject.toml Β· uv.lock |
| Go | go.sum |
| Rust | Cargo.lock |
| Java | pom.xml (Maven) |
| PHP | composer.json Β· composer.lock |
| Ruby | Gemfile Β· Gemfile.lock |
More ecosystems coming β see Roadmap.
How it works
Your project files
β
ββ package-lock.json βββ
ββ Pipfile / poetry βββ€βββΊ parser βββΊ package list
ββ go.sum / Cargo.lock βββ
β
βΌ
OSV.dev batch API (free, no key)
β
βΌ
CVE matches + fix versions
β
βΌ
Express server β browser dashboard
http://localhost:2003CVE data comes from OSV.dev β a free, open database maintained by Google that aggregates:
- πΊπΈ NVD β NIST National Vulnerability Database
- π GitHub Advisory Database (GHSA)
- π PyPI Advisory Database
- π¦ npm Advisory Database
- π¦ RustSec Β· Go Vuln DB Β· OSS-Fuzz Β· and more
Updated daily. No account. No rate limit. No vendor lock-in.
Works great alongside osv-scanner (Google)
osv-ui and osv-scanner use the same OSV.dev data source. osv-ui adds the visual layer that osv-scanner lacks:
- Browser dashboard instead of terminal output
- Multi-service sidebar
- Dependabot-style upgrade guide with copy commands
vs alternatives
| osv-ui | npm audit |
Snyk | Dependabot | |
|---|---|---|---|---|
| Visual dashboard | β | β terminal only | β | β |
| npm support | β | β | β | β |
| Python support | β | β | β | β |
| Multi-service in one view | β | β | β paid | β |
| No signup required | β | β | β | β |
| Works on GitLab Free | β | β | β | β |
| Self-hosted / local | β | β | β | β |
| Fix commands | β | partial | β | β |
| Open source | β | β | β | β |
GitLab CI β block deploys on critical CVEs
No Dependabot on GitLab Free? Add this to .gitlab-ci.yml:
audit:
stage: test
image: node:20-alpine
script:
- npm audit --json > /tmp/audit.json || true
- |
node -e "
const r = require('/tmp/audit.json');
const crit = Object.values(r.vulnerabilities || {})
.filter(v => v.severity === 'critical').length;
if (crit > 0) {
console.error('BLOCKED: ' + crit + ' critical CVE(s). Run: npx osv-ui');
process.exit(1);
}
console.log('OK: no critical vulnerabilities');
"
artifacts:
paths: [/tmp/audit.json]
when: alwaysRequirements
- Node.js >= 16
- Internet access for OSV.dev queries β or use
--offline - npm projects: run
npm installfirst sopackage-lock.jsonexists - Python projects: any of the supported manifest files listed above
Roadmap
All contributions are welcome. If you want to work on something, open an issue first so we can coordinate.
- Go support β parse
go.sum/go.mod - Rust support β parse
Cargo.lock - Java / Maven β parse
pom.xml - PHP / Composer β parse
composer.lock - Ruby / Bundler β parse
Gemfile.lock - Export report β save as HTML / JSON
- Dark mode β eye-friendly dashboard UI
- GitHub Actions β post a CVE diff comment on PRs
- SBOM export β CycloneDX / SPDX format
- Watch mode β re-scan on manifest file changes
- Slack / webhook β notify on new critical CVEs
Contributing
This project is built by the community. All skill levels welcome.
Good first issues:
- Add Java/Maven parser (
pom.xml) β follow the pattern insrc/parsers.js - Write unit tests for the parsers
- Improve Python parser edge cases
# Clone and run locally
git clone https://github.com/toan203/osv-ui
cd osv-ui
npm install
# Run against your own project
node bin/cli.js /path/to/your/project
# Run against multiple services
node bin/cli.js ./frontend ./backendPlease read CONTRIBUTING.md for code style and PR process.
License
MIT β use it, fork it, embed it, build on it. Attribution appreciated but not required.
Did osv-ui catch a real CVE in your project?
A β helps other developers find this tool.
